Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)
NEW STORY: Thursday, January 9, 07:30 ET
Ivanti Connect Secure zero-day exploited since mid-December (CVE-2025-0282)
Ivanti has fixed two vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, one of which (CVE-2025-0282) has been exploited as a zero-day by attackers to compromise Connect Secure VPN appliances.
About CVE-2025-0282 and CVE-2025-0283
Both are stack-based buffer overflow issues: CVE-2025-0282 allows for unauthenticated remote code execution, while CVE-2025-0283 can be used by a local authenticated attacker to escalate their privileges.
Ivanti says that a “limited number” of customers’ Ivanti Connect Secure appliances have been exploited due to CVE-2025-0282.
“Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix,” the company noted.
“We are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways. We have no indication that CVE-2025-0283 is being exploited or chained with CVE-2025-0282. As we were conducting our threat hunting, we also discovered the vulnerability being disclosed as CVE-2025-0283 and included it in the patch as well.”
Google’s Mandiant and Microsoft’s Threat Intelligence Center have helped Ivanti respond to this threat, so we can probably expect more information about the attack campaign(s) to be released soon.
Zero-days in a variety of Ivanti solutions – including Connect Secure – have been exploited by attackers throughout 2024.
What to do?
For the moment, patches are only available for supported versions of Ivanti Connect Secure; those for Policy Secure and Ivanti Neurons for ZTA gateways are in the works, and will be available on January 21.
The company asks customers to use both the internal and external Ivanti Connect Secure integrity checker tool (ICT) to verify whether the image installed on their Connect Secure appliances has been modified, while acknowledging at the same time that the ICT scan “cannot necessarily detect threat actor activity if they have returned the appliance to a clean state.”
If the scan reports changes, Ivanti advises:
- Performing a factory reset on the appliance to ensure any malware is removed
- Putting the appliance back into production using the version with the fix (v22.7R2.5)
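As an added illustration of the triage the advice above implies (not Ivanti's own tooling, and not the ICT's actual output format), the following script maps a constructed appliance inventory to the action each device needs: unpatched Connect Secure builds get an upgrade, devices whose ICT scan reported a modified image get the factory-reset-then-redeploy path, and Policy Secure / ZTA gateways are marked as waiting for their January 21 patch. It also refuses to label a clean ICT result as "verified clean", since the ICT cannot rule out an attacker who restored the appliance to a clean state.

```python
import re
from dataclasses import dataclass

# Fixed Ivanti Connect Secure release named in the advisory.
FIXED_ICS_VERSION = "22.7R2.5"


def parse_ics_version(version: str) -> tuple[int, int, int, int]:
    """Parse an Ivanti version string such as '22.7R2.5' into a comparable
    (major, minor, release, patch) tuple; the patch part is optional."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass
class Appliance:
    name: str
    product: str       # "Connect Secure", "Policy Secure" or "ZTA" (assumed labels)
    version: str
    ict_changed: bool  # True if the internal/external ICT reported a modified image


def triage(a: Appliance) -> str:
    """Map one appliance to the remediation action the advisory describes."""
    if a.product != "Connect Secure":
        # Patches for Policy Secure / ZTA gateways were not yet available (due January 21).
        return "await-patch"
    if a.ict_changed:
        # Modified image: factory reset, then redeploy on the fixed build.
        return "factory-reset-then-redeploy"
    if parse_ics_version(a.version) < parse_ics_version(FIXED_ICS_VERSION):
        return "upgrade"
    # Fixed build, no ICT findings. The ICT cannot detect an attacker who returned
    # the appliance to a clean state, so this is "no findings", not "verified clean".
    return "no-ict-findings"


def triage_inventory(inventory: list[Appliance]) -> dict[str, str]:
    return {a.name: triage(a) for a in inventory}


# Constructed sample inventory (hypothetical hostnames and states).
SAMPLE_INVENTORY = [
    Appliance("vpn-edge-1", "Connect Secure", "22.7R2.4", ict_changed=False),
    Appliance("vpn-edge-2", "Connect Secure", "22.7R2.4", ict_changed=True),
    Appliance("vpn-edge-3", "Connect Secure", "22.7R2.5", ict_changed=False),
    Appliance("nac-1", "Policy Secure", "22.7R1", ict_changed=False),
]

if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```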
Ivanti says it will share indicators of compromise with customers that have confirmed impact, so they can use them in their forensic investigations. Additional information can be obtained by opening a ticket with support.